Make it possible to set global default random used inside providers and simplify JDK provider setup

Author: whyoleg

cryptography-core/api/cryptography-core.api

@@ -75,9 +75,11 @@ public abstract interface class dev/whyoleg/cryptography/CryptographyProviderCon
 public final class dev/whyoleg/cryptography/CryptographySystem {
 	public static final field INSTANCE Ldev/whyoleg/cryptography/CryptographySystem;
 	public final fun getDefaultProvider ()Ldev/whyoleg/cryptography/CryptographyProvider;
+	public final fun getDefaultRandom ()Ldev/whyoleg/cryptography/random/CryptographyRandom;
 	public final fun getRegisteredProviders ()Ljava/util/List;
 	public final fun registerProvider (Lkotlin/Lazy;I)V
 	public final fun setDefaultProvider (Ldev/whyoleg/cryptography/CryptographyProvider;)V
+	public final fun setDefaultRandom (Ldev/whyoleg/cryptography/random/CryptographyRandom;)V
 }
 
 public abstract interface annotation class dev/whyoleg/cryptography/DelicateCryptographyApi : java/lang/annotation/Annotation {

cryptography-core/api/cryptography-core.klib.api

@@ -835,7 +835,9 @@ final object dev.whyoleg.cryptography.algorithms/SHA512 : dev.whyoleg.cryptograp
 
 final object dev.whyoleg.cryptography/CryptographySystem { // dev.whyoleg.cryptography/CryptographySystem|null[0]
     final fun getDefaultProvider(): dev.whyoleg.cryptography/CryptographyProvider // dev.whyoleg.cryptography/CryptographySystem.getDefaultProvider|getDefaultProvider(){}[0]
+    final fun getDefaultRandom(): dev.whyoleg.cryptography.random/CryptographyRandom // dev.whyoleg.cryptography/CryptographySystem.getDefaultRandom|getDefaultRandom(){}[0]
     final fun getRegisteredProviders(): kotlin.collections/List<dev.whyoleg.cryptography/CryptographyProvider> // dev.whyoleg.cryptography/CryptographySystem.getRegisteredProviders|getRegisteredProviders(){}[0]
     final fun registerProvider(kotlin/Lazy<dev.whyoleg.cryptography/CryptographyProvider>, kotlin/Int) // dev.whyoleg.cryptography/CryptographySystem.registerProvider|registerProvider(kotlin.Lazy<dev.whyoleg.cryptography.CryptographyProvider>;kotlin.Int){}[0]
     final fun setDefaultProvider(dev.whyoleg.cryptography/CryptographyProvider) // dev.whyoleg.cryptography/CryptographySystem.setDefaultProvider|setDefaultProvider(dev.whyoleg.cryptography.CryptographyProvider){}[0]
+    final fun setDefaultRandom(dev.whyoleg.cryptography.random/CryptographyRandom) // dev.whyoleg.cryptography/CryptographySystem.setDefaultRandom|setDefaultRandom(dev.whyoleg.cryptography.random.CryptographyRandom){}[0]
 }

cryptography-core/src/commonMain/kotlin/CryptographySystem.kt

@@ -4,6 +4,8 @@
 
 package dev.whyoleg.cryptography
 
+import dev.whyoleg.cryptography.random.*
+
 // thread-unsafe, mutations should be used only during APP initialzation if needed
 public object CryptographySystem {
     private val impl = CryptographySystemImpl()
@@ -12,15 +14,16 @@ public object CryptographySystem {
         loadProviders()
     }
 
-    public fun getDefaultProvider(): CryptographyProvider = impl.getDefaultProvider()
-
     // can be called at-most-once before calling `getDefaultProvider`
     public fun setDefaultProvider(provider: CryptographyProvider): Unit = impl.setDefaultProvider(provider)
-
-    public fun getRegisteredProviders(): List<CryptographyProvider> = impl.getRegisteredProviders()
+    public fun getDefaultProvider(): CryptographyProvider = impl.getDefaultProvider()
 
     // lower priority is better
     public fun registerProvider(provider: Lazy<CryptographyProvider>, priority: Int): Unit = impl.registerProvider(provider, priority)
+    public fun getRegisteredProviders(): List<CryptographyProvider> = impl.getRegisteredProviders()
+
+    public fun setDefaultRandom(random: CryptographyRandom): Unit = impl.setDefaultRandom(random)
+    public fun getDefaultRandom(): CryptographyRandom = impl.getDefaultRandom()
 }
 
 // to be able to test this
@@ -42,6 +45,11 @@ internal class CryptographySystemImpl {
         }
     }
 
+    private var defaultRandom: CryptographyRandom? = null
+    private val lazyDefaultRandom = lazy {
+        defaultRandom ?: CryptographyRandom.Default
+    }
+
     fun getDefaultProvider(): CryptographyProvider = lazyDefaultProvider.value
 
     // can be called at-most-once before calling `getDefaultProvider`
@@ -68,6 +76,15 @@ internal class CryptographySystemImpl {
         registeredProviders[priority] = provider
     }
 
+    fun setDefaultRandom(random: CryptographyRandom) {
+        check(!lazyDefaultRandom.isInitialized()) { "Cannot set default random after `getDefaultRandom` was called" }
+        check(defaultRandom == null) { "Default random already set" }
+
+        defaultRandom = random
+    }
+
+    fun getDefaultRandom(): CryptographyRandom = lazyDefaultRandom.value
+
     @OptIn(CryptographyProviderApi::class)
     private class CompositeProvider(
         private val providers: List<CryptographyProvider>,

cryptography-core/src/commonTest/kotlin/CryptographySystemTest.kt

@@ -4,12 +4,48 @@
 
 package dev.whyoleg.cryptography
 
+import dev.whyoleg.cryptography.random.*
 import kotlin.test.*
 
 @OptIn(CryptographyProviderApi::class)
 class CryptographySystemTest {
     private fun testSystem(block: (system: CryptographySystemImpl) -> Unit) = block(CryptographySystemImpl())
 
+    @Test
+    fun getDefaultRandomReturnsDefaultIfNotSet() = testSystem { system ->
+        assertEquals(CryptographyRandom.Default, system.getDefaultRandom())
+    }
+
+    @Test
+    fun getDefaultRandomReturnsExplicitlySetProvider() = testSystem { system ->
+        val random = TestRandom()
+        system.setDefaultRandom(random)
+        assertEquals(random, system.getDefaultRandom())
+    }
+
+    @Test
+    fun setDefaultRandomThrowsErrorIfAlreadySet() = testSystem { system ->
+        val random = TestRandom()
+        system.setDefaultRandom(random)
+
+        val exception = assertFailsWith<IllegalStateException> {
+            system.setDefaultRandom(random)
+        }
+        assertEquals("Default random already set", exception.message)
+    }
+
+    @Test
+    fun setDefaultRandomThrowsErrorIfAlreadyAccessed() = testSystem { system ->
+        val random = TestRandom()
+
+        assertEquals(CryptographyRandom.Default, system.getDefaultRandom())
+
+        val exception = assertFailsWith<IllegalStateException> {
+            system.setDefaultRandom(random)
+        }
+        assertEquals("Cannot set default random after `getDefaultRandom` was called", exception.message)
+    }
+
     @Test
     fun registerProviderThrowsErrorWhenPriorityIsDuplicated() = testSystem { system ->
         val provider1 = TestCryptographyProvider("Provider1")
@@ -195,4 +231,10 @@ class CryptographySystemTest {
     class TestAlgorithm(override val id: CryptographyAlgorithmId<*>) : CryptographyAlgorithm
 
     class TestAlgorithmId(name: String) : CryptographyAlgorithmId<TestAlgorithm>(name)
+
+    class TestRandom : CryptographyRandom() {
+        override fun nextBits(bitCount: Int): Int {
+            TODO("Not yet implemented")
+        }
+    }
 }

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAes.kt

@@ -1,13 +1,12 @@
 /*
- * Copyright (c) 2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2024-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.apple.algorithms
 
 import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.materials.key.*
-import dev.whyoleg.cryptography.random.*
 
 internal abstract class CCAes<K : AES.Key> : AES<K> {
     protected abstract fun wrapKey(key: ByteArray): K
@@ -31,7 +30,7 @@ internal abstract class CCAes<K : AES.Key> : AES<K> {
 
     private inner class AesCtrKeyGenerator(private val keySizeBytes: Int) : KeyGenerator<K> {
         override fun generateKeyBlocking(): K {
-            val key = CryptographyRandom.nextBytes(keySizeBytes)
+            val key = CryptographySystem.getDefaultRandom().nextBytes(keySizeBytes)
             return wrapKey(key)
         }
     }

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAesIvCipher.kt

@@ -1,13 +1,13 @@
 /*
- * Copyright (c) 2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2024-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.apple.algorithms
 
+import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
 import dev.whyoleg.cryptography.providers.base.algorithms.*
 import dev.whyoleg.cryptography.providers.base.operations.*
-import dev.whyoleg.cryptography.random.*
 import platform.CoreCrypto.*
 
 internal class CCAesIvCipher(
@@ -19,7 +19,7 @@ internal class CCAesIvCipher(
     private val validateCiphertextInputSize: (Int) -> Unit = {},
 ) : BaseAesIvCipher {
     override fun createEncryptFunction(): CipherFunction {
-        val iv = CryptographyRandom.nextBytes(ivSize)
+        val iv = CryptographySystem.getDefaultRandom().nextBytes(ivSize)
         return BaseAesImplicitIvEncryptFunction(iv, createEncryptFunctionWithIv(iv))
     }
 

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCHmac.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023-2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2023-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.apple.algorithms
@@ -10,7 +10,6 @@ import dev.whyoleg.cryptography.materials.key.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
 import dev.whyoleg.cryptography.providers.base.*
-import dev.whyoleg.cryptography.random.*
 import kotlinx.cinterop.*
 import platform.CoreCrypto.*
 
@@ -54,7 +53,7 @@ private class HmacKeyGenerator(
     private val digestSize: Int,
 ) : KeyGenerator<HMAC.Key> {
     override fun generateKeyBlocking(): HMAC.Key {
-        val key = CryptographyRandom.nextBytes(blockSize)
+        val key = CryptographySystem.getDefaultRandom().nextBytes(blockSize)
         return wrapKey(hmacAlgorithm, key, digestSize)
     }
 }

cryptography-providers/cryptokit/src/commonMain/kotlin/algorithms/CryptoKitAesGcm.kt

@@ -13,7 +13,6 @@ import dev.whyoleg.cryptography.providers.base.algorithms.*
 import dev.whyoleg.cryptography.providers.base.operations.*
 import dev.whyoleg.cryptography.providers.cryptokit.internal.*
 import dev.whyoleg.cryptography.providers.cryptokit.internal.swiftinterop.*
-import dev.whyoleg.cryptography.random.*
 
 internal object CryptoKitAesGcm : AES.GCM {
     override fun keyDecoder(): KeyDecoder<AES.Key.Format, AES.GCM.Key> = AesKeyDecoder()
@@ -35,7 +34,7 @@ private class AesKeyDecoder : KeyDecoder<AES.Key.Format, AES.GCM.Key> {
 
 private class AesGcmKeyGenerator(private val keySizeBytes: Int) : KeyGenerator<AES.GCM.Key> {
     override fun generateKeyBlocking(): AES.GCM.Key {
-        val key = CryptographyRandom.nextBytes(keySizeBytes)
+        val key = CryptographySystem.getDefaultRandom().nextBytes(keySizeBytes)
         return AesGcmKey(key)
     }
 }
@@ -59,7 +58,7 @@ private class AesGcmCipher(
     private val ivSize: Int get() = 12
 
     override fun createEncryptFunction(associatedData: ByteArray?): CipherFunction {
-        val iv = CryptographyRandom.nextBytes(ivSize)
+        val iv = CryptographySystem.getDefaultRandom().nextBytes(ivSize)
         return BaseAesImplicitIvEncryptFunction(iv, createEncryptFunctionWithIv(iv, associatedData))
     }
 

cryptography-providers/cryptokit/src/commonMain/kotlin/algorithms/CryptoKitHmac.kt

@@ -10,7 +10,6 @@ import dev.whyoleg.cryptography.materials.key.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.base.*
 import dev.whyoleg.cryptography.providers.cryptokit.internal.swiftinterop.*
-import dev.whyoleg.cryptography.random.*
 import kotlinx.cinterop.*
 import platform.CoreCrypto.*
 import platform.Foundation.*
@@ -58,7 +57,7 @@ private class HmacKeyGenerator(
     private val digestSize: Int,
 ) : KeyGenerator<HMAC.Key> {
     override fun generateKeyBlocking(): HMAC.Key {
-        val key = CryptographyRandom.nextBytes(blockSize)
+        val key = CryptographySystem.getDefaultRandom().nextBytes(blockSize)
         return HmacKey(key, algorithm, digestSize)
     }
 }

cryptography-providers/jdk/api/cryptography-provider-jdk.api

@@ -3,9 +3,11 @@ public abstract interface class dev/whyoleg/cryptography/providers/jdk/DefaultJd
 }
 
 public final class dev/whyoleg/cryptography/providers/jdk/JdkCryptographyProviderKt {
+	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ldev/whyoleg/cryptography/random/CryptographyRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/lang/String;Ldev/whyoleg/cryptography/random/CryptographyRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/lang/String;Ljava/security/SecureRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;
+	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/security/Provider;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/security/Provider;Ldev/whyoleg/cryptography/random/CryptographyRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/security/Provider;Ljava/security/SecureRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;
 	public static final fun JDK (Ldev/whyoleg/cryptography/CryptographyProvider$Companion;Ljava/security/SecureRandom;)Ldev/whyoleg/cryptography/CryptographyProvider;

cryptography-providers/jdk/src/jvmMain/kotlin/JdkCryptographyProvider.kt

@@ -14,57 +14,91 @@ import java.util.concurrent.*
 
 private val defaultProvider = lazy {
     val defaultSecurityProviders = loadViaServiceLoader().toList()
-    when (defaultSecurityProviders.size) {
-        0    -> CryptographyProvider.Companion.JDK()
-        1    -> CryptographyProvider.Companion.JDK(defaultSecurityProviders.single().provider.value)
-        else -> error("Multiple default JDK security providers found: $defaultSecurityProviders")
+    if (defaultSecurityProviders.size > 1) {
+        error("Multiple default JDK security providers found: $defaultSecurityProviders")
     }
+    JdkCryptographyProvider(defaultSecurityProviders.singleOrNull()?.provider?.value)
 }
 
+// uses default security provider registered
 public val CryptographyProvider.Companion.JDK: CryptographyProvider by defaultProvider
 
+// uses all providers registered in the system
 @Suppress("FunctionName")
+public fun CryptographyProvider.Companion.JDK(): CryptographyProvider = JdkCryptographyProvider(null)
+
+@Suppress("FunctionName")
+public fun CryptographyProvider.Companion.JDK(provider: Provider): CryptographyProvider = JdkCryptographyProvider(provider)
+
+@Deprecated(
+    message = "Secure random should be provided via CryptographySystem.setDefaultRandom",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK")
+)
+@Suppress("FunctionName", "DEPRECATION_ERROR")
 public fun CryptographyProvider.Companion.JDK(
     cryptographyRandom: CryptographyRandom = CryptographyRandom.Default,
 ): CryptographyProvider = JDK(cryptographyRandom.asSecureRandom())
 
-@Suppress("FunctionName")
+@Deprecated(
+    message = "Secure random should be provided via CryptographySystem.setDefaultRandom",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK(provider)")
+)
+@Suppress("FunctionName", "DEPRECATION_ERROR")
 public fun CryptographyProvider.Companion.JDK(
     provider: Provider,
     cryptographyRandom: CryptographyRandom = CryptographyRandom.Default,
 ): CryptographyProvider = JDK(provider, cryptographyRandom.asSecureRandom())
 
-@Suppress("FunctionName")
+@Deprecated(
+    message = "Overload with `provideName` is deprecated, use Security.getProvider(providerName) instead",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK(checkNotNull(Security.getProvider(providerName)))")
+)
+@Suppress("FunctionName", "DEPRECATION_ERROR")
 public fun CryptographyProvider.Companion.JDK(
     providerName: String,
     cryptographyRandom: CryptographyRandom = CryptographyRandom.Default,
 ): CryptographyProvider = JDK(providerName, cryptographyRandom.asSecureRandom())
 
+@Deprecated(
+    message = "Secure random should be provided via CryptographySystem.setDefaultRandom",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK(provider)")
+)
 @Suppress("FunctionName")
 public fun CryptographyProvider.Companion.JDK(
     secureRandom: SecureRandom,
-): CryptographyProvider = JdkCryptographyProvider(null, secureRandom)
+): CryptographyProvider = JdkCryptographyProvider(null)
 
+@Deprecated(
+    message = "Secure random should be provided via CryptographySystem.setDefaultRandom",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK(provider)")
+)
 @Suppress("FunctionName")
 public fun CryptographyProvider.Companion.JDK(
     provider: Provider,
     secureRandom: SecureRandom,
-): CryptographyProvider = JdkCryptographyProvider(provider, secureRandom)
+): CryptographyProvider = JdkCryptographyProvider(provider)
 
+@Deprecated(
+    message = "Overload with `provideName` is deprecated, use Security.getProvider(providerName) instead",
+    level = DeprecationLevel.ERROR,
+    replaceWith = ReplaceWith("CryptographyProvider.JDK(checkNotNull(Security.getProvider(providerName)))")
+)
 @Suppress("FunctionName")
 public fun CryptographyProvider.Companion.JDK(
     providerName: String,
     secureRandom: SecureRandom,
 ): CryptographyProvider {
     val provider = checkNotNull(Security.getProvider(providerName)) { "No provider with name: $providerName" }
-    return JdkCryptographyProvider(provider, secureRandom)
+    return JdkCryptographyProvider(provider)
 }
 
-internal class JdkCryptographyProvider(
-    provider: Provider?,
-    secureRandom: SecureRandom,
-) : CryptographyProvider() {
-    private val state = JdkCryptographyState(provider, secureRandom)
+internal class JdkCryptographyProvider(provider: Provider?) : CryptographyProvider() {
+    private val state = JdkCryptographyState(provider)
     override val name: String = when (provider) {
         null -> "JDK"
         else -> "JDK (${provider.name})"

cryptography-providers/jdk/src/jvmMain/kotlin/JdkCryptographyState.kt

@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2023-2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2023-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.jdk
 
 import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
+import dev.whyoleg.cryptography.random.*
 import java.util.concurrent.*
 
-//candidate for context receivers
-internal class JdkCryptographyState(
-    private val provider: JProvider?,
-    val secureRandom: JSecureRandom,
-) {
+//candidate for context parameters
+internal class JdkCryptographyState(private val provider: JProvider?) {
+    // TODO: move to something global?
+    val secureRandom: JSecureRandom = CryptographySystem.getDefaultRandom().asSecureRandom()
 
     private val ciphers: ConcurrentHashMap<String, Pooled<JCipher>> = ConcurrentHashMap()
     private val messageDigests: ConcurrentHashMap<String, Pooled<JMessageDigest>> = ConcurrentHashMap()